Chinese providers fueling growth of DMARC email security standard

More than three-quarters of the world’s email inboxes are secured against spammers and scammers with DMARC — a set of technical protocols designed to prevent the spoofing of email addresses, according to figures released Tuesday.

That’s a big rise from fewer than two-thirds in 2015 — growth driven in large part by the adoption of DMARC by Chinese email and internet providers, according to Dylan Tweney, head of communications at ValiMail, which compiled the figures.

“More than 2 billion more inboxes are protected by DMARC” than in 2015, he told CyberScoop, adding “maybe a half to two-thirds” of that growth was down to adoption by large Chinese providers, including NetEase and Tencent.

“We are approaching a tipping point for … herd immunity” from phishing and spam, Tweney said, borrowing a concept from immunology. “The more recipients implement DMARC, the more valuable it becomes for senders to adopt.”

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a technical standard and a set of best practices that prevent hackers from impersonating or spoofing an email address. The standard must be implemented at both ends of a message’s journey: the sending domain publishes a DMARC policy, and the receiving provider checks incoming mail against it. When email comes from a domain with a DMARC policy and hits inboxes protected by the standard, messages with spoofed addresses are diverted to a spam folder or not delivered at all.

Using email account counts from research company Radicati, as well as ValiMail’s own analysis of public DMARC data from ISPs and cloud email providers going back two years, about 4.8 billion inboxes are currently protected by DMARC, Tweney said. That’s 76 percent of the 6.3 billion inboxes Radicati estimates exist worldwide.

That’s up from 2.7 billion inboxes with DMARC support in 2015 — only 62 percent of the 4.3 billion total that year.

The actual percentage of currently protected inboxes might be even higher than 76 percent, the ValiMail analysis states, because while the Radicati data includes enterprise email servers, the DMARC data ValiMail analyzed typically excludes corporate inboxes, unless they are provisioned by one of the large ISPs or cloud providers.

ValiMail looked at DMARC records from “about two dozen” major cloud email and internet service providers or ISPs — from AT&T, British Telecom and Comcast, through Gmail and Microsoft Office 365, to Italia Online, Mail.ru and Tencent. The list includes the companies that provide “the vast majority” of consumer and corporate email inboxes globally, Tweney said.

“DMARC is no longer an experimental technology, it’s now a standard supported by the overwhelming majority of providers,” Tweney said, “And not just in the English-speaking world.”

“The global increase in DMARC adoption by ISPs is very, very good news,” added Phil Reitinger, president and CEO of the Global Cyber Alliance. “Businesses that deploy DMARC now have even more assurance that their global customers, including for online banking, won’t be phished [by hackers impersonating the real business]. And it’s great news for the subscribers of those ISPs as well, because they are less likely to be phished.”

The alliance is a nonprofit supported by law enforcement that promotes scalable technical fixes for internet security problems. It co-published the figures with ValiMail.

But in some countries — France, Germany, Japan — adoption is lagging, Tweney acknowledged. In the case of Japan it might be that “the rest of the world has leapfrogged over the early adopters of email technology.”

In Germany, he said, ValiMail “heard anecdotally” that “strict privacy laws may have caused some concerns” about DMARC. In one configuration, the technology can generate individual “failure reports” to the domain owner when a suspected spoofed email is undelivered — and those reports can contain personal data in either the header or the content of the email.

But most providers now get only “aggregate failure reports which contain no PII,” Tweney explained, adding that Hotmail and NetEase were the only two large providers that still allowed the sending of individual failure reports. “It’s really an outdated … approach,” he said, which shouldn’t be a barrier to adoption.
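To make concrete both how a receiving provider applies a sender’s DMARC policy and the difference between aggregate and individual failure reports discussed above, here is an added example (not code from ValiMail, the Global Cyber Alliance, or any provider named in the article). It parses a DMARC DNS TXT record using the tag names defined in RFC 7489: `p` is the policy, `rua` the aggregate-report address, and `ruf` the per-message failure-report address. The two records and the `example.com` addresses are constructed placeholders.

```python
"""Parse a DMARC TXT record and show what it asks receivers to do."""
from typing import Dict

# Constructed sample records (placeholder domain, not any real provider's policy).
# The first asks for per-message failure reports (ruf), which may carry PII;
# the second is the aggregate-only, reject-policy form most providers now use.
WEAK_RECORD = ("v=DMARC1; p=none; rua=mailto:agg@example.com; "
               "ruf=mailto:fail@example.com; fo=1")
STRICT_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:agg@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs; reject non-DMARC records."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing or empty segments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def disposition(tags: Dict[str, str], spf_aligned: bool, dkim_aligned: bool) -> str:
    """What a receiver does with a message: DMARC passes if either SPF or DKIM
    passes *and* aligns with the From: domain; otherwise the published policy
    (none, quarantine, or reject) applies. pct= is ignored here for brevity."""
    if spf_aligned or dkim_aligned:
        return "deliver"
    return tags.get("p", "none")


def requests_individual_failure_reports(tags: Dict[str, str]) -> bool:
    """True when the record requests per-message failure reports (ruf tag)."""
    return bool(tags.get("ruf"))


def uses_aggregate_reports_only(tags: Dict[str, str]) -> bool:
    """True when the domain gets aggregate reports (rua) but no per-message ones."""
    return bool(tags.get("rua")) and not requests_individual_failure_reports(tags)
```

Running `disposition(parse_dmarc(STRICT_RECORD), False, False)` returns `"reject"`, the case in which a spoofed message is not delivered at all.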